KDF deep dive · 14 min read

BIP39 vs PBKDF2 vs Scrypt vs Argon2

Why is MetaMask cracked at 9 million guesses per second while a high-cost MEW keystore manages 50? Why does a 12-word seed survive but a 12-character password fall? It all comes down to the key derivation function (KDF) — the one design choice that determines whether a wallet's password is practically recoverable or economically impossible to brute-force.

A KDF is the tool that turns a human-typeable password into a cryptographic key. The two mandatory properties: it must be deterministic (same password → same key) and it must be slow enough that an attacker cannot try billions of guesses per second. Different KDFs achieve "slow" in different ways, and those differences directly determine recovery feasibility.

The four major KDF families

PBKDF2 (2000)

Password-Based Key Derivation Function 2 from RSA Labs. Conceptually trivial: iterate HMAC over the password and salt N times. Slowness comes purely from CPU iterations. Crucially, PBKDF2 has no memory cost — a GPU can run thousands of instances in parallel using only registers and L1 cache. This is why PBKDF2-protected wallets fall so quickly.

Bcrypt (1999)

Designed for password hashing in Unix systems. Uses a modified Blowfish cipher with an adjustable cost. Modest memory footprint (4 KB). Rare in crypto wallets because its output is fixed-length: it cannot stretch a password to an arbitrary key length.

Scrypt (2009)

Designed by Colin Percival explicitly to thwart custom hardware attacks. Uses a configurable amount of memory (parameter N controls both memory and time; the working set is 128 × r × N bytes). At N=262144, r=8, p=1, each candidate requires 256 MB. A consumer GPU has 8-24 GB total — so it can only run 30-90 parallel scrypt instances, not millions. Hence the 50 H/s number for high-cost MEW.

Argon2 (2015)

Winner of the Password Hashing Competition. Three variants: Argon2d (data-dependent, stronger against GPUs), Argon2i (data-independent, side-channel resistant), Argon2id (hybrid, the modern default). Strictly better than scrypt by current standards, but adoption in crypto wallets has been slow.

Side-by-side throughput on RTX 4090

KDF             | Parameters               | RAM / candidate | H/s (single 4090) | Used in
PBKDF2-SHA256   | 10K iter                 | ~1 KB           | ~9M               | MetaMask
PBKDF2-SHA256   | 100K iter                | ~1 KB           | ~200K             | Phantom
PBKDF2-SHA512   | 2K iter                  | ~1 KB           | ~50K              | BIP39 mnemonic
PBKDF2-SHA512   | 5K iter                  | ~1 KB           | ~310K             | Coinomi, Jaxx
PBKDF2-SHA256   | 25K iter (Bitcoin Core)  | ~1 KB           | ~50K              | wallet.dat
Scrypt          | N=8192 r=8 p=1           | 8 MB            | ~1.2K             | MEW low-cost
Scrypt          | N=16384 r=8 p=1          | 16 MB           | ~600              | Trust Wallet
Scrypt          | N=131072 r=8 p=1         | 128 MB          | ~80               | BIP38 paper wallets
Scrypt          | N=262144 r=8 p=1         | 256 MB          | ~50               | MEW high-cost, Geth
Argon2id        | t=3 m=64MB p=1           | 64 MB           | ~150              | Cake Wallet, newer

Why BIP39 uses such weak parameters

BIP39 specifies seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 iterations, 64 bytes). By general standards, 2048 iterations is laughably low, but the choice is deliberate:

# BIP39 entropy budget
12 words = 11 bits/word x 12 = 132 bits (128 entropy + 4 checksum)
24 words = 11 bits/word x 24 = 264 bits (256 entropy + 8 checksum)

# A 12-word mnemonic has 128 bits of entropy.
# 2^128 = 3.4e38 candidates - already infeasible to brute-force
# regardless of KDF speed.

# The KDF protects the OPTIONAL passphrase, not the mnemonic.
# Since most users have no passphrase, low iterations are fine.
# Users WITH a passphrase have their security in the passphrase
# strength, not the iteration count.

This design choice is also why Trezor / Ledger passphrase brute-force is feasible — see our Trezor passphrase guide.
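The derivation described above, written out as an added example (not code from the article): the seed is a single PBKDF2-HMAC-SHA512 call with 2048 rounds, the mnemonic as the password and "mnemonic" + passphrase as the salt, so the KDF work only ever stands between an attacker and the passphrase. The test vector is the first official BIP39 English vector; the entropy-budget helper implements the 11-bits-per-word arithmetic from the block above.

```python
import hashlib
import unicodedata

# Added example, not from the article: BIP39 seed derivation as the spec
# defines it, to show where the 2048 PBKDF2 rounds actually apply.

BIP39_ITERATIONS = 2048
BIP39_SEED_LEN = 64


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048, 64 bytes).

    BIP39 requires NFKD normalisation of both inputs before hashing, so two
    visually identical Unicode strings derive the same seed.
    """
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, BIP39_ITERATIONS, BIP39_SEED_LEN)


def mnemonic_entropy_bits(word_count: int) -> int:
    """Entropy carried by a valid mnemonic: 11 bits per word minus the checksum
    bits (one checksum bit per 32 entropy bits, i.e. word_count / 3)."""
    if word_count not in (12, 15, 18, 21, 24):
        raise ValueError("BIP39 mnemonics have 12, 15, 18, 21 or 24 words")
    return 11 * word_count - word_count // 3


# First official BIP39 test vector: 16 zero bytes of entropy, passphrase "TREZOR".
VECTOR_MNEMONIC = "abandon " * 11 + "about"
VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                   "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

if __name__ == "__main__":
    seed = bip39_seed(VECTOR_MNEMONIC, "TREZOR")
    print(seed.hex() == VECTOR_SEED_HEX)  # True
    # Same 12 words with no passphrase give an unrelated seed: the 2048 rounds
    # are the only cost standing between a guess at the passphrase and the key.
    print(bip39_seed(VECTOR_MNEMONIC).hex()[:16])
    print(mnemonic_entropy_bits(12), mnemonic_entropy_bits(24))  # 128 256
```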

Memory hardness — the killer feature

A consumer GPU has 16-24 GB of VRAM. With PBKDF2 (1 KB per candidate), it can run 16 million parallel candidates. With scrypt N=262144 (256 MB per candidate), it can run only 64-96. The 250,000x reduction in parallelism is precisely the protection scrypt offers.

ASIC-level analysis: a custom chip optimized for SHA-256 can do PBKDF2 attacks at terahash-per-second speeds. A custom chip for scrypt is bottlenecked by memory bandwidth — and modern DRAM costs are not falling fast. This is why Litecoin (scrypt PoW) resisted ASICs for years.

Per-wallet KDF audit

Wallet                | KDF used                          | Verdict
MetaMask              | PBKDF2 10K iter                   | Weak — Argon2 migration overdue
Phantom               | PBKDF2 100K iter                  | Better but still PBKDF2
Bitcoin Core          | SHA-512 + AES, ~25K iter          | Old design
Electrum              | PBKDF2-SHA512 1024 iter           | Very weak; relies on password strength
MEW (default)         | Scrypt N=262144                   | Strong
Trust Wallet          | Scrypt N=16384                    | Acceptable
BIP38 paper wallet    | Scrypt N=16384 (some N=131072)    | Strong
Coinomi               | PBKDF2-SHA512 5-16K iter          | Weak
Cake Wallet (Monero)  | Argon2id                          | Best in class

Implication for password choice: if your wallet is PBKDF2-based (most browser-extension wallets), your password length is the only protection. A 16-char random password gives ~96 bits of entropy — uncrackable even on weak KDFs. A 6-char "password1" — recoverable in seconds regardless of how many iterations the wallet uses.

What "uncrackable" actually means

A password is practically uncrackable when its entropy times the KDF cost exceeds the global compute budget. Concretely:

# Bitcoin network does ~6e20 SHA-256 ops/sec (April 2026)
# Re-purposed to crack PBKDF2-SHA256 10K iter MetaMask:
#   6e20 / 10K = 6e16 H/s effective
# A 14-char fully-random password has ~95 bits = 4e28 candidates
# Total time = 4e28 / 6e16 = 7e11 seconds = 22000 years

# So even with the entire Bitcoin network for one purpose,
# a 14-char random MetaMask password is uncrackable.

# But: a 6-char "password" + 2 digits (rockyou-style) is in the
# top 10000 most common patterns. Any GPU finds it in milliseconds.
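The two arguments above (the memory-hardness parallelism count and the global-compute-budget estimate) as one small cost model, added here and not part of the article. The per-GPU guess rates it consumes are the ones quoted in the throughput table; the 95-symbol charset, 16 GiB VRAM and 1 KB PBKDF2 working set are constructed inputs for the demonstration.

```python
import math

# Added example, not from the article: reusable arithmetic behind the
# memory-hardness and "uncrackable" sections. Rates come from the table above.

KIB, MIB, GIB = 1024, 1024 ** 2, 1024 ** 3
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def scrypt_memory_per_candidate(n: int, r: int) -> int:
    """scrypt's working set is 128 * r * N bytes; p adds time, not memory."""
    return 128 * r * n


def gpu_parallel_candidates(vram_bytes: int, mem_per_candidate: int) -> int:
    """Candidates that fit in VRAM at once (ignores scheduling overhead)."""
    return vram_bytes // mem_per_candidate


def password_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password over charset_size symbols."""
    return length * math.log2(charset_size)


def exhaustive_search_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate every candidate at the given guess rate."""
    return (2.0 ** entropy_bits) / guesses_per_second / SECONDS_PER_YEAR


# Constructed scenario: one 16 GiB GPU against the table's MetaMask and MEW rows.
if __name__ == "__main__":
    mew_mem = scrypt_memory_per_candidate(262144, 8)
    print(mew_mem // MIB, "MiB per scrypt candidate")                  # 256
    print(gpu_parallel_candidates(16 * GIB, mew_mem), "scrypt in flight")   # 64
    print(gpu_parallel_candidates(16 * GIB, 1 * KIB), "PBKDF2 in flight")   # 16777216
    for label, rate in (("MetaMask PBKDF2 10K", 9e6), ("MEW scrypt N=262144", 50)):
        for length in (8, 14):
            bits = password_entropy_bits(95, length)  # printable ASCII
            print(f"{label}: {length}-char random = {bits:.0f} bits, "
                  f"{exhaustive_search_years(bits, rate):.3g} years")
```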

Frequently asked questions

What is a KDF?

A function that turns a password into a key, intentionally slowly, to thwart brute force. Examples: PBKDF2, scrypt, bcrypt, Argon2.

Why is BIP39 PBKDF2 only 2048 iterations?

The mnemonic itself is high-entropy. Low iteration count protects only the optional passphrase.

Why is scrypt better than PBKDF2?

Memory hardness — GPUs cannot run millions of parallel scrypt candidates due to RAM cost.

Is Argon2 the best?

Argon2id is current best practice. Few wallets have migrated.

What KDF parameters mean uncrackable?

Argon2id (t=3, m=64MB) or scrypt (N=131072 or higher), combined with a random password of 14+ characters.
